[Bro-Dev] Support for HTTP body extraction of originator

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Apr 22 08:05:48 PDT 2013

>> Here's my suggestion: we'd introduce an enum that specifies the
>> direction, e.g., ORIG, RESP, BOTH. Users can then decide what they'd
>> like to have recorded.
> This is all being done through the file analysis framework now and is being abstracted there now.  The script you are having trouble with is being removed.

The script isn't being removed, just changed to use the generic file analysis events instead of http_entity_data.

And the generic file events don't currently specify any direction information, so HTTP extraction will do both request and response bodies, but they can't be controlled independently.  Do I need to add an 'is_orig' flag to at least the 'file_new' event?

- Jon
